FRD-FPV | Vulnerability | Implementation guide coming soon

False Positive Vulnerability

Also: false positive vulnerability, false positive vulnerabilities

Definition

Verbatim from FedRAMP/rules

A detected vulnerability that is not actually present in an exploitable state in the information resource

Notes

  • This includes situations where vulnerable software or code exist on a machine-based information resource but are not loaded, running, or otherwise in an operating state required for exploitation.
  • This only applies if the vulnerability is not and was not present; a remediated vulnerability or a fully mitigated vulnerability cannot also be a false positive vulnerability.

Used in 1 rule requirement

This term is a defined part of the following FedRAMP rule requirements — when it appears in a rule, this definition applies precisely.

Change history

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Source of truth: FedRAMP/rules. Definitions are published verbatim; Boundera adds cross-references and implementation context.